Microsoft 365 is a great product. It’s also a product that has to ship with security defaults set somewhere between “nothing on” and “everything on,” because Microsoft can’t know whether a new tenant belongs to a hospital, a marketing agency, or a kid running a side hustle. The defaults are conservative. They are not safe.
When we audit a Reno small business that’s been on Microsoft 365 for a couple of years, the same six settings come up over and over. None of them are exotic. All of them take an hour or less to flip. Together they close most of the door that ransomware crews walked through in 2025.
Before we start: every change in this list can break something if you do it wrong. Test on a pilot user, not the CEO’s account, and have a way to undo it. If that sentence made you nervous, this is exactly what we do during a free assessment.
Setting #1: Multi-factor authentication for everyone
A password is one thing the attacker has. A six-digit code on your phone is a second thing. The day you turn on MFA is the day most credential-stuffing attacks against your tenant stop working, because the attacker has the password but not the phone.
Microsoft has been pushing MFA defaults harder every year, but a lot of older tenants still have it as optional. Confirm it’s on for every user, including service accounts, including the receptionist’s laptop, including yours. Authenticator apps beat SMS codes — SMS is better than nothing, but if you can use the app, use the app.
The most common pushback is “it’ll annoy the team.” It will, for about a week. Then nobody notices.
Setting #2: Conditional Access for sign-ins from outside the country
A small Reno business almost never has a real reason for someone to sign into Microsoft 365 from another country. Conditional access lets you say so out loud: “users sign in from the US, full stop.” Anybody trying from Russia, Vietnam, or Brazil gets blocked at the door.
The exception list is small and obvious — the owner who travels to Mexico for vacation, the salesperson with a customer in Toronto. You can add named exceptions without leaving the door open for everyone.
This single rule blocks a remarkable percentage of attempted breaches, because the people trying to break into your tenant are almost never sitting in Reno.
Setting #3: Audit logging turned on, retained, and reviewed
By default, Microsoft 365 keeps audit logs for ninety days, and even that requires the right license tier. Without audit logging, a forensic investigation has nothing to look at — you can’t tell what the attacker did, when they did it, or what data they touched.
Turn on audit log retention to the maximum your license allows. Add a quarterly review cadence — somebody actually opens the dashboard and looks. The Nevada state ransomware investigation in 2025 leaned heavily on log data to figure out the dwell time. Without those logs, the recovery would have been blind.
If your current IT person has never opened an audit log, that’s a gap.
Setting #4: Mailbox forwarding rules locked down
This is the single most common attacker move in a 2025 Microsoft 365 breach. They get into a user’s mailbox, and the first thing they do is set up a rule that quietly forwards a copy of every email containing words like “wire,” “invoice,” or “bank” to an outside address. The user notices nothing. The attacker now reads your accounting team’s mail in real time and waits for an invoice big enough to redirect.
The fix is to disable external auto-forwarding at the tenant level, then allow it case-by-case for the few people who actually need it. We do this on every tenant we manage. It takes about two minutes and prevents an entire class of fraud.
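As an added example (not the page's own tooling and not anything Microsoft ships), this is the kind of check the quarterly log review in Setting #3 can run to catch the forwarding-rule move described in Setting #4: it scans inbox-rule events for external forwarding, finance keywords, silent deletion and blank rule names. The event shape is modelled on the unified audit log's Parameters list, and the sample events, tenant domain and addresses are constructed assumptions.

```python
# Constructed audit events shaped like Microsoft 365 unified audit log AuditData for
# inbox-rule operations (assumed format, trimmed to the fields this check uses).
SAMPLE_AUDIT = [
    {"CreationTime": "2025-03-04T13:02:11", "Operation": "New-InboxRule",
     "UserId": "ap@example-reno.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "wire;invoice;bank"},
                    {"Name": "ForwardTo", "Value": "collector@mail-drop.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-05T09:15:40", "Operation": "New-InboxRule",
     "UserId": "jane@example-reno.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2025-03-06T17:48:02", "Operation": "Set-InboxRule",
     "UserId": "cfo@example-reno.com",
     "Parameters": [{"Name": "Identity", "Value": "Copy to assistant"},
                    {"Name": "RedirectTo", "Value": "assistant@example-reno.com"}]},
]

INTERNAL_DOMAINS = {"example-reno.com"}   # the tenant's own domains (assumed)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
KEYWORD_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")
MONEY_WORDS = {"wire", "invoice", "bank", "payment", "ach", "remit"}

def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def review_rule(event):
    """Return the reasons this inbox-rule event deserves a human look (empty if none)."""
    params = {p["Name"]: p["Value"] for p in event["Parameters"]}
    targets = [params[k] for k in FORWARD_PARAMS if k in params]
    words = {w.strip().lower() for k in KEYWORD_PARAMS
             for w in params.get(k, "").split(";") if w.strip()}
    reasons = []
    if any(is_external(t) for t in targets):
        reasons.append("forwards or redirects mail outside the tenant")
    if targets and words & MONEY_WORDS:
        reasons.append("forwards only mail matching finance keywords")
    if params.get("DeleteMessage") == "True":
        reasons.append("deletes the original so the user never sees it")
    if not params.get("Name", params.get("Identity", "x")).strip(". _-"):
        reasons.append("rule name is blank or punctuation only")
    return reasons

def suspicious_rules(events):
    """Map 'user|time' -> reasons, for every rule event with at least one red flag."""
    reviewed = {f"{e['UserId']}|{e['CreationTime']}": review_rule(e) for e in events}
    return {key: reasons for key, reasons in reviewed.items() if reasons}
```

Run it over the events exported from the audit log for the review period; anything it returns is a rule somebody should open and read.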
Setting #5: SPF, DKIM, and DMARC on your domain
These three records live in your domain’s DNS settings, and they tell the rest of the internet how to recognize email that’s actually from you versus email that’s pretending to be you. Without them, anyone can send email that looks like it came from your CEO. With them, the receiving servers reject the impersonation.
Most Reno small businesses we audit have SPF set up, partial DKIM, and no DMARC. The full set takes about a day to set up and a couple of weeks to tune. After that, somebody trying to phish your customers using your domain name gets blocked at most major email providers.
This is one of those settings that protects your customers more than it protects you, which is a good reason to do it.
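An added example, not the page's or Microsoft's own code: an offline checker that grades a domain's SPF, DKIM and DMARC records the way an audit would, with a BEFORE state matching the "SPF set up, partial DKIM, no DMARC" pattern above and an AFTER state once the records are tuned. The record values, domain name and selector are constructed assumptions; in practice the three strings come from DNS TXT lookups.

```python
import re
# Constructed TXT records standing in for DNS lookups (assumed values): SPF at the apex,
# DKIM at <selector>._domainkey, DMARC at _dmarc. BEFORE mirrors the typical audit finding.
RECORDS_BEFORE = {"spf": "v=spf1 include:spf.protection.outlook.com ~all",
                  "dkim": "",      # selector record not published
                  "dmarc": ""}     # no _dmarc record at all
RECORDS_AFTER = {"spf": "v=spf1 include:spf.protection.outlook.com -all",
                 "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
                 "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-reno.com; pct=100"}

def parse_tags(record):
    """Turn 'k=v; k2=v2' (DKIM/DMARC syntax) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_spf(spf):
    if not spf.startswith("v=spf1"):
        return ["SPF: no record, so anyone can send as this domain"]
    m = re.search(r"\s([+~?-])?all\s*$", spf)
    qualifier = (m.group(1) or "+") if m else None   # no 'all' behaves like +all
    if qualifier in (None, "+"):
        return ["SPF: 'all' is missing or +all, which authorises every sender"]
    if qualifier in ("~", "?"):
        return ["SPF: ~all/?all only marks spoofs as suspicious; move to -all once DMARC is tuned"]
    return []

def check_dkim(dkim):
    tags = parse_tags(dkim)
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        return ["DKIM: selector record missing or public key empty (signing is off)"]
    return []

def check_dmarc(dmarc):
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no record, so SPF/DKIM failures carry no instruction to reject"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports to tune with")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct<100 applies the policy to only part of the mail")
    return findings

def assess(records):
    return check_spf(records["spf"]) + check_dkim(records["dkim"]) + check_dmarc(records["dmarc"])
```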
Setting #6: Admin accounts that aren’t the owner’s daily driver
A common pattern: the owner’s main email account is also the global admin account, and they use it all day to read email, click links, and approve invoices. This means the most-clicked account in the company is also the most powerful one. If that account gets compromised, the attacker doesn’t need to escalate. They’re already at the top.
The fix is two accounts: a normal user account for daily work, and a separate admin account that gets used only when admin work needs doing. The admin account has its own MFA, doesn’t read email, and isn’t logged into all day. It’s a small habit change with a big security upside.
This is also the setting that keeps a one-bad-click moment from turning into a full tenant takeover.
A short word about Copilot
Microsoft Copilot is on a lot of owners’ radar in 2026, especially in the Reno corridor where Tesla suppliers and other manufacturing-adjacent businesses are getting peer pressure to “use AI.” Before Copilot is useful, the six settings above need to be in good shape, and a couple of separate cleanup jobs need to happen — Copilot reads everything in your tenant, so the tenant has to be tidy. We’ve written about that separately.
What we do about it
The free 30-minute assessment includes a Microsoft 365 tenant review. We look at MFA coverage, conditional access policies, audit logging, mailbox rules, and admin account hygiene. You get a written list of what’s set up well, what’s missing, and what we’d flip first.
If you want to flip them yourself, the report is yours to keep. If you want a partner who keeps the tenant clean as the team grows, that’s what we do.
Get a Free Assessment — we’ll review your Microsoft 365 tenant against the six-setting checklist and give you a written report. No commitment.
Call (775) 772-6134 — Reno phone, real person, no script.
